Privacy statement on the processing of personal data of suppliers under art. 13 GDPR

Providers Policy

WEP SARL, with registered office in Lyon (France), 12 Quai de Saint-Antoine 69002 (tel. 0033 04 72 40 04, e-mail: dataprotection@wep.org) as Data Controller (hereinafter, “Data controller”), informs you pursuant the (EU) Regulation no. 679/2018 (“GDPR”) and the applicable national Data Protection law, that your personal data shall be processed according to the following modalities and for the following purposes.

1) Scope of Data Processing

The Data Controller processes the following personal data, identifying and not sensitive/particular (in particular name, surname, business name, address, e-mail, phone number, VAT no, etc…), communicated by you as supplier of the Data Controller on the basis of the contractual (hereinafter “Data” or “Personal Data”).

2) Purposes and legal basis of Data Processing

Your personal data shall be processed, without your prior consent, for the following purposes and legal basis:

  • the execution of the contract and the fulfilment of pre and post-contractual obligations, in particular:

    a) the management of contractual and pre-contractual relationships;

    b) the management of payment and receipts;

    c) the execution of the agreement.

  • the fulfilment by the Data Controller of legal obligations such as:

    a) compliance with the obligations established by laws, regulations or national and community legislations or imposed by the competent Authorities;

    b) the book-keeping and related obligations;

    c) the compilation and processing of tax returns and related requirements.

  • the pursuing of a lawful interest by the Data Controller, in particular:

    a) the exercising of rights by the Data Controller in Court and conducting of litigation;

    b) the prevention and identification of fraudulent activities;

3) Modalities of Data Processing

The processing of your Data is carried out, both via hardcopy and electronic modalities, by means of data collection, registration, organization, storage consultation, elaboration, amendment, selection, mining, confrontation, usage, interconnection, blockage, communication and destruction operations, in compliance with article 32 GDPR on security measures.

4) Access to data (the recipients or categories of recipients of the personal data)

Personal Data may be made accessible for the purposes mentioned above to employees and/or collaborators of Data Controller, in light of their role of persons in charge of the processing, under art. 29 of GDPR and/or to companies and third parties carrying out outsourcing activities on behalf of the Data Controller as external Data Processors, under article 28 GDPR. Data may be also communicated, upon their request, to control bodies, police or judiciary bodies, Tax Authority, ministerial bodies and competent Authorities, local Institutions and Tax Commissions, that will process them in their quality of independent Data Controllers for institutional purposes and/or pursuant to the law during investigations and controls. Moreover, your Data may be communicated to third parties (f.e. insurance funds, independent contractors, etc.) that will process them as independent Controllers to carry out activities that are instrumental to the above purpose.

5) Data transfer

The Data Controller does not transfer your personal data in extra-UE countries.

6) Storage of Data

The Data Controller shall process the Personal Data for the time necessary to fulfill the above purposes and anyway for a period not exceeding 10 years from the termination of the contractual relationship.

7) Data subjects’ rights

The Data Controller informs, under art. 15 – 22 GDPR, that you, as Data Subject, where limitations provided by the law are not applicable, shall be able to exercise the rights anytime by sending an email to privacy@wep.org or by post to the address of the Data controller. More particularly, data subjects has the right to:

  • obtain confirmation over the existence or inexistence of personal data relating you, even if not yet registered, and their communication in a comprehensible way;

  • obtain the indication and, if necessary, the copy of the i) source and category of personal data ii) logic applied in case the processing is performed by means of electronic instruments; iii) purposes and modalities of the processing; iv) identification references of the Data Controller and the Data Processors; v) subjects or categories of subjects to whom personal data may be communicated or who may come to know, in particular if recipients are extra-EU countries or international organizations; vi) period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; vii) existence of an automated decision-making process and, in this case, information about the logic involved, the significance and consequences for the data subject; viii) existence of adequate safeguards in case of transfer of personal data to an extra-EU country or international organization;

  • obtain, without undue delay, the update, the rectification or, whether you are interested, the integration of incomplete data;

  • revoke the consent granted at any time, easily, without impediments, using, when possible, the same channels used to provide them;

  • obtain the cancellation, the transformation into anonymous form or blocking of the data;

  • obtain the restriction of processing;

  • receive the personal data concerning you in a structured, commonly used and machine-readable format and transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is carried out by automated means;

  • oppose to whole or in part to the processing of personal data regarding you;

  • submit a data protection complain to the competent supervisory authority.


8) Data provision

The provision of Data for the above purposes is necessary and mandatory and any possible refusal to provide said Data entails the impossibility to establish or continue the contractual relationship with the Data Controller.

9) Automated decision making

The Data Controller does not carry on any automated decision making with your personal data.

The Data Controller

WEP SA